b'     Office of Inspector General\n\n\n\n\nControls Over Laptops\n\n          March 31, 2008\n     Inspection Report No. 441\n\x0c                                                  UNITED STATES\n                           SECURITIES AND EXCHANGE COMMISSION\nOffice ofInspector\n     General                                WASHINGTON, D.C. 20549\n\n\n           To:       Corey Booth, Chief Information Officer\n\n                     Cathy English, Acting Associate Executive Director, Office of Administrative\n                     Services\n\n\n           From: H. David Kotz, Inspector Gener\'/f;pi\n\n           Date: March 31, 2008\n\n           Re:       Office of Inspector General- Controls Over Laptops Inspection (No. 441)\n\n           Attached is our final inspection report on the Controls Over Laptops. Your\n           comments to the draft report have been incorporated as appropriate.\n\n           Management concurred with all 5 of our recommendations. We appreciate the\n           courtesy and cooperation that was extended to our staff during this inspection.\n\n           Attachment\n\n           cc:       Peter Uhlmann\n                     Diego Ruiz\n                     Cristal Perpignan\n                     Mark Degner\n                     Daniel Lisewski\n                     Darlene Pryor\n\n                     Richard Hillman, GAO\n\x0c                      Table of Contents\nExecutive Summary                                                    2\nObjectives, Scope, and Methodology                                   3\nBackground                                                           3\n\nInspection Results                                                  4\n      Policies                                                      4\n      Inventory                                                     6\n      Accountability                                                7\n      Discussion of Management\'s Comments               :           8\n\n      Appendices\n           Definitions/Criteria from GAO, OMB and SEC       Appendix A\n           List of Recommendations                          Appendix B\n           Management\'s Comments                            Appendix C\n\x0c                                                                                  Page 2\n\n\n\n\n       CONTROLS OVER LAPTOPS\n\n                     EXECUTIVE SUMMARY\nThe Office of the Inspector General of the Securities and Exchange Commission\nconducts regular audits and inspections of Agency operations to promote the\neffectiveness, in~egrity and efficiency of the SEC.\nWe conducted an inspection of the Office of Information Technology\'s (OIT) control\nover laptops. Our inspection concluded that OIT does not have the proper\naccountability over laptops. Although laptops are not considered accountable\nproperty, they are sensitive items containing proprietary information, and if lost\ncould result in negatively affecting the SEC\'s image. The SEC is privy to an\nenormous amount of non-public and sensitive market data and most of it is stored on\nlaptops. We are aware of OIT\'s encryption initiative and we commend them for this\nnecessary security control. However, this review looked at controls over laptops (the\nequipment) and recognizes that encryption can mitigate the risk of data being\naccessed, but this still does not eliminate the need to have proper accountability over\nthe equipment.\nBased on our findings in this inspection, we recommend that laptops be deemed\nsensitive property within the SEC and are accounted for properly. According to the\nSEC\'s property management manual, sensitive property refers to items that have\ncharacteristics deemed sensitive because they are potentially pilferable, dangerous,\nvital to continued operations, or if lost could negatively affect the Agency\'s image.\nWe also determined that control over laptops is weak due to the lack of an inventory,\nor another method of accountability to ensure that the SEC has an accurate account\nof its laptops. Furthermore, we were unable to trace ownership of laptops to specific\nindividuals. Therefore, if a laptop were lost or stolen, the SEC would have difficulty\nidentifying its rightful owner. As a result of these weaknesses, laptops are susceptible\nto loss and theft.\nCommission management concurred with our five recommendations. Their formal\nwritten response is included as Appendix C.\n\n\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                        MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                 Page 3\n\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\nOur objective was to assess the adequacy of controls over laptops and compliance\nwith relevant guidelines. To accomplish our inspection objective, we:\n\n   \xe2\x80\xa2   Interviewed members of the Office of Administrative Services\' Property\n       Management Office (PMO) and Office ofInformation Technology\'s Asset\n       Management Branch (AMB).\n   \xe2\x80\xa2 Reviewed policies and procedures for control of laptops, existing laptops and\n       movement from one location to another.\n   \xe2\x80\xa2 Reviewed physical inventory documentation.\n   \xe2\x80\xa2 . Evaluated the use of the SEC-406A Property Transaction Report Form (Form\n       406A):\n   \xe2\x80\xa2   Reviewed data found in hardware/software release reports in order to trace\n       laptops from original purchase to issuance to an SEC employee.\n   \xe2\x80\xa2   Analyzed a judgmental sample of hardware/software releases in calendar\n       year 2007.\n\nThe scope of the inspection was limited to laptops only. This review did not look at\nany other IT equipment or the data on the laptops. We did not look at the\nprocedures for acquisition, surplus or physical security \xc2\xb7of laptops. Consequently, our\nreview and report focus on data that could be obtained from OAS and AMB affecting\nthe overall efficiency and effectiveness of laptop controls and found deficiencies\nwhich we believe warrant quick action.\n\nWe conducted this inspection from October 2007 to February 2008 in accordance\nwith the Quality Standards for Inspections, issued in January 2005, by the President\'s\nCouncil on Integrity and Efficiency and the Executive Council on Integrity and\nEfficiency.\n\n\n                             BACKGROUND\nThis inspection was performed because of concerns within the Federal government\nrelating to the protection of sensitive property and information as well as the\ndiscovery of internal problems within the SEC regarding the accountability of IT\nequipment. We also recognize that establishing and maintaining effective\naccountability controls over laptop computers is essential and necessary to ensure\nthat valuable and proprietary data is not lost or stolen, causing undue damage to the\nagency and its image.\n\n\nResponsibilities\nPMO is responsible for the overall property management within the SEC. PMO\nissues property management regulations to cover policies and procedures relative to:\n   \xe2\x80\xa2   Requirement determinations.\nCONTROLS OVER LAPTOPS INSPECTION                                       MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                   Page 4\n\n\n   \xe2\x80\xa2   Acquisitions.\n   \xe2\x80\xa2   Receiving.\n   \xe2\x80\xa2   Controls.\n   \xe2\x80\xa2   Maintenance.\n   \xe2\x80\xa2   Accountability.\n   \xe2\x80\xa2   Inventory.\n   \xe2\x80\xa2   Utilization.\n   \xe2\x80\xa2   Disposal.\nThe office also provides program oversight concerning organizational performance of\nproperty management responsibilities and ensures compliance with SEC Property\nManagement Directives.\nAMB is responsible for information technology asset management, inventory\ntracking (software/hardware), and infrastructure upgrades/deployments. Their\nduties include planning, coordinating and deploying management for releases of new\nsoftware and hardware throughout the SEC. AMB also plans, coordinates, and\noversees all physical moves of technology equipment and they oversee inventory\nmanagement and reconciliation for all technology equipment. AMB serves as the\ninventory control point for the acquisition, storage and issuance of IT equipment.\nAMB is the utilization coordinator for the reassignment and disposal of IT assets.\nAMB and PMO interface regarding all IT property issues.\n\n\n\n                       INSPECTION RESULTS\nWe found several issues with controls over laptops. We concluded that effective\naccountability of laptop computers simply did not exist. First, the draft property\nmanagement policy does not identify Commission-wide items such as laptops as\nsensitive property. Secondly, a Commission-wide inventory oflaptop computers has\nnot been performed since 2003. Thirdly, due to the absence of a baseline inventory,\nwe were unable to trace ownership of laptops to a specific individual. As a result of\nthese weaknesses, laptops are extremely susceptible to theft without detection.\nWe discussed the deficiencies mentioned above with OIT and OAS, and they agreed\nto take action to resolve these issues.\n\n\nPOLICY\nPMO is responsible for establishing the policy governing property management to\ninclude laptops.\n\nPMO\'scurrent property management regulation and manual, SECR 9-2 and SECM\n9-1, dated July 2003, state that the objective is to establish cost effective accounting,\ntracking, and proper use of government property and its removal, transfer, or other\nCONTROLS OVER LAPTOPS INSPECTION                                         MARCH 31 , 2008\nINSPECTION 441\n\x0c                                                                                                            Page 5\n\n\ndisposal in an authorized and appropriate manner. This policy although fairly old,\nclearly outlines how the SEC will account for and control accountable property with\nan acquisition cost of $5,000 or more, primarily through the use of conducting\ninventories. The policy contains procedures for conducting inventories on\naccountable property and moving and transferring furniture and equipment,\nincluding IT equipment. It delegates authority for all IT equipment to OIT. Due to\nthe vast difference in costs of IT equipment, the SEC has both inventoried and non-\ninventoried IT items. Consequently, laptops are accounted for as non-inventory\nitems and are not subject to an annual inventory.\n\nThe Commission\'s current policy delegates control of non-inventoried property with\nan acquisition cost less than $5,000 to Directors and Office Heads within the agency.\nThe policy states that they are responsible for maintaining reasonable controls over\ntheir non-inventoried property to safeguard it against improper use, theft, and\nundue deterioration. It also states that special inventories over non-inventoried\nproperty may be called for if deemed appropriate by PMO.\n\nDuring this review we reviewed other Federal agencies policies on laptops and found\nthat they identified laptops as sensitive property and conducted annual inventories,\ndespite acquisition costs. The OIG believes that items such as laptops should be\nidentified as sensitive. SEC\'s current property management policy states that SEC\ndoes not have sensitive property. We understand that OAS is currently revising this\npolicy. The draft policy indicates that the SEC may have sensitive property and\nassigns the responsibility for identifying the sensitive property to Directors and\nOffice Heads.\n\nWe reviewed a recent GAOl report of the Department of Veterans Mfairs that was\nsimilar in scope to this inspection and concluded "policies requiring annual\ninventories of sensitive items, such as IT equipment... have not been enforced." SEC\nhas a similar q.eficiency; however, we found that policy requiring annual inventories\nof sensitive items has not been developed primarily because the SEC has not\nidentified any sensitive property.\n\nIn order for sensitive property to be identified throughout the SEC and to ensure\nthat the issues with sensitive property are properly addressed, senior management\'s\ninvolvement is imperative. Although PMO and AMB have taken some actions to\naddress issues over sensitive property, such as updating policies and procedures and\ndeveloping a spreadsheet to track the issuance of laptops; this task requires the\ncommitment and use ofIT specialists throughout the SEC.\n\nTherefore, we believe that OAS should change the draft to identify agency-wide\nsensitive property to include laptops. The policy should also establish a means to\naccount for and track the items through the use of annual inventories. In addition,\nthe policy should also require Directors and Office Heads that manage sensitive\nitems to put internal controls in-place which may include requiring receipt\n\n\n1 GAO-07-11 OOT Entitled" Lack of Accountability and Control Weaknesses over IT Equipment at Selected VA Locations"\ndated July 24, 2007, Testimony Before the Subcommittee on Oversight and Investigations, Committee on Veterans\'\nAffairs, House of Representatives.\nCONTROLS OVER LAPTOPS INSPECTION                                                               MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                 Page 6\n\n\nsignatures, producing separate listings of sensitive items and/or limiting access to\nsensitive items.\n\nWe recognize that sensitive items which do not meet the accountable and capitalized\nproperty thresholds will not be included in the Accountable and Capitalized\nProperty System (TRAQs) but they still should be accounted for properly.\n\n\nRecommendation A\nOAS should revise its draft policy to identify Commission-wide sensitive items and\nallow Directors and Office Heads to determine if they have additional items that\nshould be deemed sensitive.\nRecommendation B\nOAS should require a method of accountability for sensitive property that will\nensure that SEC has an accurate accounting of laptops.\n\n\nINVENTORY\nWe found that a complete inventory of laptops has not been performed. In 2005,\nAMB began a laptop inventory; however, AMB officials said it was not completed\ndue to resource constraints. AMB currently has a branch chief and staff of seven\nindividuals that are responsible for procurement, receiving, tracking, storage,\ndistribution, maintenance and the disposal of IT equipment. In order for them to be\nable to properly account for IT assets, they must utilize the help ofIT specialists\nthroughout the SEC.\nOur inspection further found that other Federal agencies track and account for\nsensitive property such as laptops by conducting annual inventories. We tried to\ndetermine the total number of laptops in the SEC and how many of them were\nassigned to OIT, but could not get a definitive answer. When we asked AMB how\nthey accounted for the laptops within the SEC, we were told they rely on Microsoft\nSystems Management Server (SMS), reports to give them an accounting. SMS is an\nautomated discovery tool used by SEC to capture information for equipment\nattached to the network. This tool is effective for providing a snapshot of the\nequipment logged onto the network and can be used to forecast network use, but we\nbelieve it should not be used as an inventory tool because the results are too\nsporadic. For example, the SEC has employees and contractors that are mobile, who\nmay not log onto the network on any given day. Thus, their equipment would not be\ncaptured through SMS until they log on to the network.\nOIG believes that a baseline inventory must be performed immediately for sensitive\nproperty and AMB should solicit help from IT specialists (assigned to other offices\nand divisions) within the SEC to conduct the inventory. \'\nRecommendation C\nOIT, through AMB should complete a full inventory of laptops to establish a baseline\nlevel.\nCONTROLS OVER LAPTOPS INSPECTION                                       MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                                                        Page 7\n\n\n ACCOUNTABILITY\n AMB is responsible for the oversight of inventory management and the\n reconciliation for all technology equipment (i.e., accountable and sensitive property).\n This branch serves as the inventory control point for the acquisition, storage and\n issuance of IT equipment.\n In this review, we were unable to determine the total number of laptops within the\n SEC, and therefore, we concluded that sensitive property is not being appropriately\n controlled. The reason this has occurred is due to the lack of oversight over non-\n inventoried (sensitive) property. Accountability of sensitive property is crucial\n because sensitive property and the data that resides on the equipment could\n negatively affect the SEC\'s image. For example, an SEC laptop could have sensitive\n and valuable information pertaining to an ongoing enforcement investigation. If the\n laptop containing this information were lost or stolen, proprietary and stock-related\n information could be used improperly.\n  We are aware of OIT\'s future plans to encrypt all laptops so that data will not be\n  assessable in the event it is loss. We commend OIT for this needed security control.\n  Although encryption can mitigate the risk that data is illegally accessed, it still does\n. not eliminate the need to have proper accountability over the equipment. AMB has\n  not established and ensured consistent implementation of effective controls for\n  accountability. They are in the process of revising the procedures, however, most of\n  the current procedures primarily address accountable property, and very little is\n  discussed about how to account for sensitive property such as laptops.\n In performing this inspection we asked AMB how they accounted for and tracked\n laptops to users within the SEC. They responded that since laptops were not\n accountable property, they do not have a policy in-place to account for them other\n than through SMS. They also stated that they recently developed a\n hardware/software release report and can provide the Form 406A (supporting\n property transaction forms) for the equipment identified in the report. However, we\n found that the report only shows equipment that has been released since January\n 2007. Prior to the release report, a centralized record for laptops was not in\n existence for laptops that were assigned to a specific user. Therefore, based on the\n information received from AMB and our review, we concluded that the SEC does not\n have appropriate control over its laptops and is unable to trace ownership of laptops\n to a specific SEC employee. This problem exists for two reasons. First, laptops are\n not accountable property, and therefore, AMB does not have a policy or procedure to\n account for them. Secondly, as outlined below, the process for issuing laptops is\n confusing and the information on the Form 406A is inaccurate or incomplete.\n Issues with the Property Transaction Form 406A\n The lack of accountability with individual users of IT equipment poses a risk of loss,\n theft, and misappropriation2 . AMB\'s current process relies on the Form 406A as its\n record of who is accountable for the equipment. From the data AMB provided we\n could not determine what individual employees were accountable for the equipment\n because the Form 406A was incomplete and inconsistently applied.\n\n 2 "As used in this report, theft and misappropriation both refer to the unlawful taking or stealing of personal property, with\n misappropriation occurring when the wrongdoer is an employee or other authorized user."\n CONTROLS OVER LAPTOPS INSPECTION                                                                        MARCH 31, 2008\n INSPECTION 441\n\x0c                                                                                Page 8\n\n\n\nA judgmental sample pulled from the hardware and software release report of the\ncompleted Form 406A on file with AMB revealed that the procedures are\ninconsistently implemented. We found that there were important details missing\nfrom the form such as, the contact information of the person receiving the laptop\n(printed name, phone and room number), as well as, the details of why the\nequipment was given to the person (i.e., new employee, loaner) Specifically, we\nfound the following issues:\n   \xe2\x80\xa2   Remarks indicated equipment was released to employees who did not have\n       possession of the equipment.\n   \xe2\x80\xa2   Laptops were released to individuals that we could not locate or determine if\n       they were employed by SEC.\n   \xe2\x80\xa2   Laptops appeared to be released as loaners and did not show that they were\n       returned.\n   \xe2\x80\xa2   Laptops were given to other SEC employees whose names did not appear on\n       the form.\nThe lack of user level accountability and inaccurate records on status, location, and\nitem descriptions make it difficult to determine who is responsible for laptops and\nthe data on the equipment.\n\n\nRecommendation D\nOlT, through AMB should revise the procedures to establish clear accountability for\nlaptops. Among these procedures there should be included a requirement that\ndocuments the issuance and receipt of the equipment to a specific SEC employee.\n\n\nRecommendation E\nOAS should specify a form to account for sensitive property. This form needs to\ninclude contact information of the person receiving the equipment (i.e., printed\nname, number, email, and location).\n\n\n\nDISCUSSION OF MANAGEMENT COMMENTS\nCommission management concurred with all of our five recommendations. Their\nformal written response is included as Appendix C.\n\n\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                       MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                Page 9\n\n\n                                                                   APPENDIX A\n\n\nDefinitions/Criteria from GAO, OMB and SEC\'s\nInternal Policy and Procedures\n\nTRAQ. The Official Agency Accountable Property System used to record all\ntransactions for accountable property.\nAccountable Property. Identifies items of personal property with an acquisition\ncost of $5,000 and above and all leased property regardless of dollar value.\nAccountable property must be tracked on individual property records in TRAQ and\nis subject to annual wall to wall inventories.\nSensitive Property. Items designated by a Director or Office Head to have\ncharacteristics deemed sensitive because they are potentially pilferable, dangerous,\nvital to continued operations, or if lost could negatively affect the Agency\'s image.\nMicrosoft Systems Management Server. An automated discovery tool used on\nthe SEC network. It allows SEC to capture information for equipment attached to\nthe network, and distribute relevant software and updates to SEC workstations.\nSMS also provides useful reporting functions against any SEC workstation with\nSMS Client software installed.\n\nProperty Management Program SECR 9-2, dated July 2003. Prescribes the\npolicies and procedures used in accounting for personal property purchased, leased,\nor loaned by the SEC. It applies to all SEC employees. Its overall objective is cost\neffective accounting, tracking, and proper use of government property and its\nremoval, transfer, or other disposal in an authorized and appropriate manner. This\npolicy states that the SEC has determined it does not have any sensitive items.\n\nProperty Management Program Manual SECM 9-1, dated July 2003.\nProvides guidance and instruction on implementing the SEC\'s Property\nManagement Program (PMP) and supplements the regulations found at SECR 9-2\nand the operating instructions for the PMP automated tracking system. It\ndesignates OIT as responsible for assigning IT equipment to Divisions/Offices; for\ntransferring and moving equipment from one Division/Office to another, including\nregional offices, and documenting the assignments/transfers on Form 406A.\n\nGAO, Standards for Internal Control in the Federal Government, dated\nNovember 1, 1999. Requires agencies to establish physical controls to safeguard\nvulnerable assets, such as IT equipment, which might be vulnerable to risk ofloss.\n\nOMB Circular No. A-123, dated December 21, 2004. States funds, property, and\nother assets are safeguarded against waste, loss, unauthorized use or\nmisappropriation.\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                      MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                 Page 10\n\n\n                                                                . APPENDIXB\n\n\n                LIST OF RECOMMENDATIONS\n\nRecommendation A\nOAS should revise its draft policy to identify Commission-wide sensitive items and\nallow the Directors/Office Heads to determine if they have additional items that\nshould be deemed sensitive.\n\n\nRecommendation B\nOAS should require a method of accountability for sensitive property that will\nensure that SEC has an accurate accounting of laptops.\n\n\nRecommendation C\nOIT, through AMB should complete a full inventory of laptops to establish a baseline\nlevel.\n\n\nRecommendation D\nOIT, through AMB should revise the procedures to establish clear accountability for\nlaptops. Among these procedures there should be included a requirement that\ndocuments the issuance and receipt of the equipment to a specific SEC employee.\n\n\nRecommendation E\nOAS should specify a form to account for sensitive property. This form needs to\ninclude contact information of the person receiving the equipment (i.e. printed\nname, number, email, and location).\n\n\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                     MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                            Page 11\n\n\n                                                                APPENDIXC\n\n                 MANAGEMENT\'S COMMENTS\n\nMarch 14,2008\n\n\nTo:   Renee Stroud\n      Manager for Information Technology Audits\n      SEC,OIG\n\nFrom: Cathy English\n      Acting, Associate Executive Director\n      Office of Administrative Services\n\nRe:   Comments to Draft Laptop Controls Inspection Report\n\n\nThank you for including us in the Review of the Draft Laptop Controls Inspection\nReport. Our comments reflect the Office of Administrative Services perspective\nand responsibilities and focus on overall policy for SEC-wide property and do not\naddress OIT specific concerns or processes.\n\nWe agree with your position that laptops should be deemed sensitive items and\nshould be annually inventoried and have internal controls in place. Our overall\nconcern is distinguishing the difference between the accountability processes for\nsensitive items versus accountable and capitalized items. We agree with\nRecommendations A & B, but hope the language can be clarified to avoid\nconfusion.\n\nWe suggest that Recommendation A be reworded to read the following:\n\nOAS should revise the SEC\'s draft policy to identify Commission-wide sensitive\nitems and allow the Directors/Office Heads to determine if they have additional\nitems that should de deemed sensitive. The policy should also require that\nDirectors/Office Heads who manage those sensitive items should have in place\ninternal controls, which may include receipt signatures, separate listings and/or\nlimited access. Sensitive items which do not meet the accountable and\ncapitalized property thresholds will not be included in the Accountable and\nCapitalized Property System (TRAQs).\n\nWe suggest that Recommendation B be reworded to read the following:\n\nOAS should revise the SEC draft policy to require Directors/Office Heads to\n\nCONTROLS OVER LAPTOPS INSPECTION                                    MARCH 31,2008\nINSPECTION 441\n\x0c                                                                          Page 12\n\n\nconduct annual inventories of sensitive items such as laptops.\n\nFinally, we suggest that Recommendation E be revised to help further avoid\nconfusion of the accountable and sensitive property processes by using the form\nSEC 2040 (8-83) Hand Receipt for Sensitive Items, rather than the form 406A.\nWe suggest that Recommendation E be reworded to read the following:\n\nOAS should revise the form 2040 (6-83) to include contact information of the\nperson receiving the equipment (i.e. printed name, number, e-mail, and location.\n\nAgain, thanks for the opportunity to comment.\n\n\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                  MARCH 31, 2008\nINSPECTION 441\n\x0c                                                                                                                        Page 13\n\n\n                                                                                                   APPENDIXC\n\n         MANAGEMENT\'S COMMENTS (cont.)\n\n\n\n\n         :\'bn"ch 31, 2008\n\n\n         TO:              David .K.otz\n                          Tl}ijJ)cetor General\n\n         f1tOM:           CfII\'ey Thwllh   IIltt/\n                          ChierlntQrm!l~-?OrJiCl.:T\n         Re:              Comml:1W on laptop COlltl\'fil!\' audir (Nf). 441)\n\n         Thmk you for yow\' office\'" hurd wwk on this inspection, and fot HI e UPPl,lr!Unity to review\n         lind conuncnt au the fil1djll~~. AI) yuulrnuw, we fully support the agency\';! c;\'jhrL~ to\n         impTllyt~ i~ inte:md controls., <lnd erl!.utin~ appropriate !lccDUnt:!blJity O\\\xc2\xb7-er the agency\'s IT\n         equjpm~l i& clC(lrly a."l impo.rrant iRsue.\n\n\n         \\Vc OOllcur with the mG\',," Ill<se~~IT.I(:[ltthat "\'"e should impnwe aUL:Oun tl\'bility o~!cr\' JaJ}top->.\n         Thi~ impr(JI.,\\:d tlcooWltability lllArlh widl the d~sigllatiOJl of laptafts ll~ 1tt:T1>liLiw,: property. We\n         J)grt:~ thllt this d;;signlltion is warrarll.cll h:=":Ul)8t; lIUhough Japrops are I\\OLIlLllerwitJ<;l wvcrcd\n         wIder Lht: a~n\\;y\'!> 8Ct\'lluntalJle-propetty contmll\' bet:illl~c uf tIleir (jdJar v:llue, [hey are\n         Ilcvm1heJ.es.,> valuablt: llnd bighlyportalJle pieces of e~uij1mentthl\xc2\xa2 should be managed\n         appropritlrely CO f1mt~~t lhl.: agency\' s ima?;~. Some conCt=m ~ v>ere lllm rnised during the aulB\n         rogm:ding rhe sen ~ iti ~\'\': nll(v~ Q[ tho.; infunnalion srored (} n agen~y I~wps, :md the pat<mtial\n         ri::lks of comprollli~in8[lIe OlmJidcTltililit)\' of ;hat infollllluion. I rOW~,.:T> orr is curJemly\n         r,:n,l.:I\'ypting all laptops IbroughllUL thv SEC; fuc ini.tiative wilt be c(lmplell: by the coo of JWl~\n         2008. which should rcJlJ~\' 1tliR ril\'k rIl:X I~bl~ guing forward. As a remlt, OUt primary\n         Corl~rn i ~ .\'4 fT the vaIn e of the h:lrol;l:<,re lli;llebL\n\n\n         The fCPOlt re~(\'Ill1mJ:l1dll lJ.liet of specific mea."ues 10 i mpmy J: Ji!pWp aCl:ountllbiliry,\n         including J\'egular] j" SoCII edu kll i:JVCIltOl1CS tlnd impr-oved docurnen lJlli(ln (lfllfJJOOP issu:mc:e.\n         We intend ro do so 1Yith a CllmbiIl.lltion of autQlllated tools and mlUluul I:ffort. We will also\n         work closely wilh .he 0 lTil:~ of Administrative ScrvicC3 to en~UI\'e tCI<II\'\\li naUOO W a pulicy\n         ll:vd, as well as with tIl e 1/llfil1UR other he~dgu~rtcrr. and regional offices whose IT sp.;lI:ill1ists\n         diillnolJW, main_ aud uanstetlaplop!- ~l1l)lbcr C\'quipmcnt \'Within those offi.:;es.\n\n         w~ IIm1 ILJrwar~l W impl.;mcntin,g these mell:\'>UJ\'e!\' to illlftMve luplllI\' IJ\xc2\xa3,:OOuuta\\)ility ao(f\n         cvnn\'oL We appre~i0le Lbe OTG\'s ongoing su~port in ~lpjJlg 11.<: buHull mme dfcctivc\n         infonnaticll tecllllology fl!\'0!,\'T\'llm r(lI\' the Commission.\n\n\n\n\nCONTROLS OVER LAPTOPS INSPECTION                                                                           MARCH 31, 2008\nINSPECTION 441\n\x0c'